1. DNI Exploitation System/Analytic Framework
2. Performs strong (e.g. email) and soft (content) selection
3. Provides real-time target activity (tipping)
4. "Rolling Buffer" of ~3 days of ALL unfiltered data seen by XKEYSCORE:
• Stores full-take data at the collection site - indexed by meta-data
• Provides a series of viewers for common data types
5. Federated Query system - one query scans all sites
• Performing full-take allows analysts to find targets that were previously unknown by mining the meta-data

• Small, focused team
• Work closely with the analysts
• Evolutionary development cycle (deploy early, deploy often)
• React to mission requirements
• Support staff integrated with developers
• Sometimes a delicate balance of mission and research

Massive distributed Linux cluster
Over 500 servers distributed around the world
System can scale linearly - simply add a new server to the cluster
Federated Query Mechanism

Approximately 150 sites
Over 700 servers

[Chart labels: Processing Speed; TURMOIL/TURBULENCE; Depth; Processing; XKEYSCORE]

Why do shallow
• Can look at more data
• XKEYSCORE can also be configured to go shallow if the data rate is too high

• Strong Selection itself gives us only a very limited capability
• A large amount of time spent on the web is performing actions that are anonymous
• We can use this traffic to detect anomalies which can lead us to intelligence by itself, or strong selectors for traditional tasking

What XKS does with th
Plug-ins extract and index metadata into tables
[Diagram: [sessions] --> [processing engine] --> (database) <--> (user queries); label: phone numbers]

E-mail Addresses
Extracted Files
Full Log
HTTP Parser
Phone Number
User Activity

DESCRIPTION
Indexes every E-mail address seen in a session by both username and domain
Indexes every file seen in a session by both filename and extension
Indexes every DNI session collected. Data is indexed by the standard N-tuple (IP, Port, Casenotation etc.)
Indexes the client-side HTTP traffic (examples to follow)
Indexes every phone number seen in a session (e.g. address book entries or signature block)
Indexes the Webmail and Chat activity to include username, buddylist, machine specific cookies etc.

• Anything you wish to extract
• Choose your metadata
• Customizable storage times
• Ex: HTTP Parser

GET /search?hl=en&q=islamabad&metaf HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-
application/msword, application/x-shockwave-flash, */*
Referer: http://www.google.com.p
User-Agent: Mozilla/4.0 (compatible;
Host: www.google.com.pk
Connection: keep-alive

Finding Targets
• How do I find a strong-selector for a known target?
• How do I find a cell of terrorists that has no connection to known strong-selectors?
• Answer: Look for anomalous events
• E.g. Someone whose language is out of place for the region they are in
• Someone who is using encryption
• Someone searching the web for suspicious stuff

Encryption
• Show me all the encrypted word documents from Iran
• Show me all PGP usage in Iran
• Once again - data volume too high so forwarding these back is not possible
• No strong-selector
• Can perform this kind of retrospective query, then simply pull content of interest from site as required

• Show me all the VPN startups in country X, and give me the data so I can decrypt and discover the users
• These events are easily browsable in XKEYSCORE
• No strong-selector
• XKEYSCORE extracts and stores authoring information for many major document types - can perform a retrospective survey to trace the document origin since metadata is typically kept for up to 30 days
• No other system performs this on raw unselected bulk traffic, data volumes prohibit forwarding

• Traditionally triggered by a strong-selector event, but it doesn't have to be this way
• Reverse PSC - from anomalous event back to a strong selector. You cannot perform this kind of analysis when the data has first been strong selected.
• Tie in with Marina - allow PSC collection after the event

Language Tracking
• My target speaks German but is in Pakistan - how can I find him?
• XKEYSCORE's HTTP Activity plugin extracts and stores all HTML language tags which can then be searched
• Not possible in any other system but XKEYSCORE, nor could it be -
• volumes are too great to forward
• No strong-selector

Google Maps
• My target uses Google Maps to scope target locations - can I use this information to determine his email address? What about the web-searches - do any stand out and look suspicious?
• XKEYSCORE extracts and databases these events including all web-based searches which can be retrospectively queried
• No strong-selector
• Data volume too high to forward

Document Tracking
• I have a Jihadist document that has been passed around through numerous people, who wrote this and where were they?

Interesting Document Disce
• Show me all the Microsoft Excel spreadsheets containing MAC addresses coming out of Iraq so I can perform network mapping
• New extractor allows different dictionaries to run on document/email bodies - these more complex dictionaries can generate and database this information
• No strong-selector
• Data volume is high
• Multiple dictionaries targeted at specific data types

• Show me all the exploitable machines in country X
• Fingerprints from TAO are loaded into XKEYSCORE's application/fingerprintID engine
• Data is tagged and databased
• No strong-selector
• Complex boolean tasking and regular expressions required

Discovery of new target web s
• New web services every day
• Scanning content for the userid rather than performing strong selection means we may detect activity for applications we previously had no idea about

Sen Extraction
• Have technology (thanks to R6) - for English, Arabic and Chinese
• Allow queries like:
• Show me all the word documents with references to IAEO
• Show me all documents that reference Osama Bin Laden
• Will allow a "show me more like this" capability

High Speed Selection
Toolbar
Integration with Marina
GPRS, WLAN integration
SSO CRDB
Workflows
Multi-level Dictionaries

• High speeds yet again (algorithmic and Cell Processor (R4))
• Better presentation
• Entity Extraction
• VoIP
• More networking protocols
• Additional metadata
• Expand on google-earth capability
• EXIF tags
• Integration of all CES-AppProcs
• Easier to install/maintain/upgrade